The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual

GDPR - Sensitive Personal Data

Definition under the DPA: personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject;

(b) his political opinions;

(c) his religious beliefs or other beliefs of a similar nature;

(d) whether he is a member of a trade union;

(e) his physical or mental health or condition;

(f) his sexual life;

(g) the commission or alleged commission by him of any offence; or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

NB: - Implied consent is consent which is not expressly granted by a person, but rather implicitly granted by a person's actions and the facts and circumstances of a particular situation (or in some cases, by a person's silence or inaction).